The ever-present threat of payment card fraud and the increasing burden of managing a payment card program effectively have made the implementation of a management system a business-critical requirement.
Now imagine being able to harmonise the management system of the ISO/IEC 27001:2022 standard with the robustness of the 12 PCI DSS requirements. This is exactly the approach taken by the 27k1 PCI DSS platform.
Following the approach permitted by Clause 6.1.3 of ISO/IEC 27001:2022, Clauses 4 to 10 are retained while the Annex A controls are replaced by the 12 PCI DSS requirements, creating a PCI DSS Statement of Applicability (SOA). This helps entities to build a suitable management system for treating the risks to their payment card operations.
Consequently, entities can create a hybrid of two ‘Best in Class’ industry information security standards:
- A Payment Card Security Management System (PCSMS)
Such an approach will help to meet some of the latest enhancements that arrived in March 2022 with the release of PCI DSS v4.0, for example:
- #.1.1 – Requirement-specific policies (the ‘#’ standing for each of the 12 requirements).
  - 27k1 includes a document management system.
- #.1.2 – Defined roles.
  - Incorporated as part of the 27k1 management system.
- – Risk Management.
  - 3.1 – Tactical Risk Assessments, supported through the 27k1 Risk Manager.
- – PCI DSS Program Management.
- – PCI DSS Scope validation and documentation.
In addition, the 27k1 solution helps to simplify the annual compliance submission by automatically populating the official Self-Assessment Questionnaires (SAQs) from the inputs entered into the 27k1 platform.
Furthermore, consider the potential enhancements that can be gained:
- An effective management system to help ensure that all mandatory tasks have been assigned and tracked for completion.
- An integrated solution to ensure that all supporting documentation and evidence is easily accessible.
- The potential to use your PCSMS to have your payment card operations certified against ISO/IEC 27001:2022.
- The potential to use your ISO/IEC 27001:2022 certified payment card operations (PCSMS) to meet the requirements of GDPR article 42 – Certification, by an accredited certification body (GDPR article 43) / UK DPA 2018 – Chapter 2, Para 17.
The harmonisation of the management system from ISO/IEC 27001:2022 with the payment-card-specific PCI DSS security controls can help you to create a ‘Best in Class’ PCSMS, which in turn will enable you to simplify your PCI DSS compliance obligations and significantly reduce the risks to your payment card operations.
About Jim Seaman
Jim is the founder of IS Centurion Consulting Ltd, based in Castleford, Yorkshire. Jim has been dedicated to the pursuit of security throughout his extensive career. He served 22 years in the RAF Police, covering a number of specialist areas including physical security, aviation security, information security management, IT security management, cybersecurity management, security investigations, intelligence operations, and incident response and disaster recovery.
He has successfully transitioned his skills to the corporate environment and now works in sectors such as financial services, banking, retail, manufacturing, e-commerce, and marketing. He is highly qualified within the information security sector, applying his skills to help businesses enhance their cybersecurity and InfoSec defensive measures and to work with various industry security standards.
Jim is a published author of definitive guides to PCI DSS compliance and Protective Security; his books are available to purchase on Amazon.